CVE-2026-42233
Undergoing Analysis Undergoing Analysis - In Progress
SQL Injection in n8n Workflow Automation Platform

Publication date: 2026-05-04

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42233
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
n8n n8n to 1.123.32 (exc)
n8n n8n 2.18.0
n8n n8n From 2.17.0 (inc) to 2.17.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the n8n workflow automation platform, specifically in the Oracle Database node's select operation. Before certain fixed versions, user-controlled input passed into the Limit field via expressions was directly inserted into the SQL query without proper sanitization or parameterization.

Because of this, if external input (such as from a webhook) is passed into the Limit field, an attacker could inject arbitrary SQL commands. This could allow the attacker to extract data from the connected Oracle database.

The issue has been fixed in versions 1.123.32, 2.17.4, and 2.18.1 of n8n.

Impact Analysis

This vulnerability can allow an attacker to perform SQL injection attacks on the Oracle database connected to the n8n platform.

As a result, an attacker could exfiltrate sensitive data from the database, potentially leading to data breaches.

Such unauthorized data access could compromise the confidentiality and integrity of your data and systems.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade n8n to one of the patched versions: 1.123.32, 2.17.4, or 2.18.1.

Avoid passing external or user-controlled input directly into the Limit field of the Oracle Database node's select operation until the upgrade is applied.

Compliance Impact

The vulnerability allows an attacker to inject arbitrary SQL and exfiltrate data from the connected Oracle database. This unauthorized data access could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on personal and sensitive data to prevent unauthorized disclosure.

Specifically, if sensitive or personal data governed by these regulations is stored in the affected Oracle database, exploitation of this flaw could result in non-compliance due to data breaches or unauthorized data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42233. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart